© 2022 SOC Prime Inc.
All rights reserved. This product and documentation related are protected by copyright and distributed under licenses restricting their use, copying, distribution, and decompilation. No part of this product or documentation related may be reproduced in any form or by any means without the prior written authorization of SOC Prime. While every precaution has been taken in the preparation of this book, SOC Prime assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
SOC Prime Platform
Unlocking Mechanism
We've improved the on-demand Sigma rule unlock mechanics to prevent unintentional unlocks. Now, after opening an on-demand Sigma rule's Code tab or clicking Hunt to use such a rule in Quick Hunt, the user always sees a message offering to unlock the rule using the on-demand Sigma balance.
When the rule is unlocked, a confirmation popup appears under the balance counter.
On-Demand Sigma Balance
We've added the counter that displays the current on-demand Sigma balance on the following pages:
Advanced Search
Detection Engineering
MITRE ATT&CK®
Content Availability Filter
We've substantially enhanced the Content Availability filter in Advanced Search and Detection Engineering, providing more granularity.
Now, you can filter search results for the following types of content:
Available for Me: Alerts and Queries for which you have access to code (can download or deploy it)
Git Free Access: Alerts and Queries based on Sigma rules sourced from SigmaHQ, a free GitHub repository of the Sigma community
Promo: Alerts and Queries opened by SOC Prime to all users as part of a promotion effort
Unlocked: Alerts and Queries unlocked with your on-demand Sigma balance (individual under a Community plan and shared across your organization under an On Demand plan)
Subscription based: content available under a certain subscription plan
On Demand: Alerts and Queries available on demand under an On Demand plan. Users with a Community plan get 2 on-demand Sigma rules on their individual balance each week.
Enterprise Only: Content Packs, Configs, Playbooks, Premium Apps, YARA Rules, Red Tests, and Snort Rules
Other: types intended only for backward compatibility with a previous availability model
Basic: Community content (deprecated category)
Advanced: Exclusive content (deprecated category)
Content Availability Statuses
We've improved naming and tooltips for content availability statuses:
Git Free Access: Sigma rule from the SigmaHQ repo available to all users
Promo: Sigma rule available to all users
Unlocked: Sigma rule unlocked using your On Demand balance
On Demand: Sigma rule you can unlock using your On Demand balance
Enterprise Only: Content available only under an Enterprise plan
Carbon Black Integration for Quick Hunt
With this release, we've added a hunt (web search) integration with Carbon Black Cloud Console.
Now, you can run queries in your Carbon Black Cloud Console environment directly from Quick Hunt.
You can open the setup modal to configure integration with your Carbon Black Cloud Console environment in one of the following ways:
Go to Integration > Environments and click Create Profile
Go to Quick Hunt, choose your platform, and select Create New Environment in the Environment dropdown
To set up integration with your environment, follow these steps:
Give your profile a name and choose if you want to share it with your team.
Copy your Carbon Black web console URL from your browser and paste it into the Carbon Black Cloud Console URL field. The field is pre-filled with a default value you can change as needed.
Optionally, set up and select a Custom Field Mapping profile.
Click Save Changes.
Check the connection status of your environment integration on the Environments page.
Improved Sorting
With this release, we've improved the Smoking Guns, Microsoft, and Google Chronicle sorting options. Now, content that does not match the sorting criteria at all is no longer shown, rather than being displayed at the bottom of the results.
Uncoder CTI
We've improved the syntax of queries in Uncoder CTI generated for Microsoft Defender for Endpoint by replacing the =~ operator with has.
ArcSight Rule Translation Improvement
To ensure the correct translation into the ArcSight format, we’ve updated the conversion logic for the startswith and endswith modifiers in Sigma rules. Previously, they could be translated as CONTAINS when applied to a list of values. Now, even in this case, startswith is translated as STARTSWITH and endswith as ENDSWITH.
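The translation change above is easier to see in code. The following is an added illustration of how a Sigma selector with a list of values under a startswith or endswith modifier is rendered, with the old CONTAINS fallback kept behind a flag for comparison; it is not Uncoder's or SOC Prime's code, and the ArcSight operator spelling (STARTSWITH, ENDSWITH, CONTAINS) and the parenthesised OR grouping are assumptions made for the example.

```python
# Added illustration of Sigma list-modifier translation; not Uncoder's or
# SOC Prime's code. The ArcSight operator spelling (STARTSWITH, ENDSWITH,
# CONTAINS) and the parenthesised OR grouping are assumptions for this example.
from typing import Dict, List, Optional, Union

# Sigma value modifier -> assumed ArcSight operator. None means no modifier (exact match).
OPERATORS: Dict[Optional[str], str] = {
    None: "=",
    "contains": "CONTAINS",
    "startswith": "STARTSWITH",
    "endswith": "ENDSWITH",
}

Values = Union[str, int, List[Union[str, int]]]


def parse_selector(selector: str):
    """Split a Sigma selector such as 'Image|endswith' into (field, modifier)."""
    field, _, modifier = selector.partition("|")
    return field, (modifier or None)


def quote(value) -> str:
    """Quote a literal for the generated condition, escaping embedded double quotes."""
    return '"' + str(value).replace('"', '\\"') + '"'


def translate(selector: str, values: Values, legacy: bool = False) -> str:
    """Translate one selector line; a list of values becomes an OR group.

    legacy=True reproduces the pre-fix behaviour described in the release
    notes, where a list under startswith/endswith was emitted as CONTAINS
    (a broader match, so it could fire on values the rule never intended).
    """
    field, modifier = parse_selector(selector)
    if modifier not in OPERATORS:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    operator = OPERATORS[modifier]
    is_list = isinstance(values, list)
    if legacy and is_list and modifier in ("startswith", "endswith"):
        operator = "CONTAINS"  # the old, overly broad translation
    terms = [f"{field} {operator} {quote(v)}" for v in (values if is_list else [values])]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def translate_selection(selection: Dict[str, Values], legacy: bool = False) -> str:
    """AND together every selector line of one Sigma selection map."""
    return " AND ".join(translate(k, v, legacy) for k, v in selection.items())


# Constructed sample: a Sigma selection with a list under the endswith modifier.
SAMPLE_SELECTION = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    "CommandLine|contains": "-ExecutionPolicy",
}

if __name__ == "__main__":
    print("old:", translate_selection(SAMPLE_SELECTION, legacy=True))
    print("new:", translate_selection(SAMPLE_SELECTION))
```

Running the block prints the old rendering, where both Image terms become CONTAINS, next to the corrected one, where they stay ENDSWITH; only list-valued selectors under those two modifiers differ between the two modes.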
Continuous Content Management
Jobs for Splunk
We've added Splunk as an option in the Platform dropdown of the Create New Job and Edit Job menus.
Now, to stream rules to your Splunk environment, you can configure Jobs in CCM and then add them in the data input of SOC Prime CCM App for Splunk installed in your Splunk instance.
Since Jobs are connected and scheduled in SOC Prime CCM App for Splunk, Job settings in CCM have Environment and Schedule fields disabled.
Accordingly, Debug Logs and Run Now options are not available for Splunk Jobs.
Inventory Synchronization
We've improved the Inventory synchronization mechanism to prevent cases when content is duplicated.
Before, if synchronization failed because the integration environment was unavailable, for example because credentials had expired, all content in Inventory was marked as Deleted. When a later synchronization succeeded, all content from the user's SIEM was pulled with its current status and became duplicated in Inventory, since the old Deleted content was kept as well.
Now, we check whether the IDs of the content pulled after a failed synchronization are already present in Inventory and, if so, update the corresponding content items instead of adding new ones.
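The failure sequence and the ID-based fix described above can be reproduced in a few lines. The following is an added illustration, not SOC Prime's code: a minimal Inventory synchronisation that runs a successful pull, a pull that fails on expired credentials, and a second successful pull, first with the old append-only behaviour and then with the ID lookup. The record layout, the Active and Deleted statuses, the exception type and the sample SIEM contents are assumptions constructed for the example.

```python
# Added illustration of the duplicate-safe Inventory re-sync; not SOC Prime's
# code. The record layout, the 'Active'/'Deleted' statuses and the failure
# scenario are assumptions constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A pull returns (siem_id, name, status) tuples from the customer's SIEM.
Pulled = List[Tuple[str, str, str]]


class EnvironmentUnavailable(Exception):
    """The integration environment could not be reached (e.g. expired credentials)."""


@dataclass
class Record:
    siem_id: str  # identifier of the rule in the SIEM
    name: str
    status: str   # 'Active' or 'Deleted' in this example


def sync(inventory: List[Record], pull: Callable[[], Pulled], dedupe: bool) -> List[Record]:
    """Synchronise Inventory with the SIEM.

    On failure every record is marked Deleted (as before). On success, with
    dedupe=True the pulled IDs are looked up in Inventory and matching records
    are updated in place; dedupe=False reproduces the old append-only behaviour.
    """
    try:
        pulled = pull()
    except EnvironmentUnavailable:
        for record in inventory:
            record.status = "Deleted"
        return inventory

    by_id: Dict[str, Record] = {r.siem_id: r for r in inventory} if dedupe else {}
    for siem_id, name, status in pulled:
        existing = by_id.get(siem_id)
        if existing is not None:
            existing.name, existing.status = name, status  # update, do not duplicate
        else:
            record = Record(siem_id, name, status)
            inventory.append(record)
            if dedupe:
                by_id[siem_id] = record
    return inventory


def run_scenario(dedupe: bool) -> List[Record]:
    """Successful sync, failed sync (credentials expired), successful sync again."""
    siem_state: Pulled = [  # constructed SIEM contents
        ("r-1", "Suspicious PowerShell", "Active"),
        ("r-2", "New Service Installed", "Active"),
    ]

    def healthy_pull() -> Pulled:
        return list(siem_state)

    def failing_pull() -> Pulled:
        raise EnvironmentUnavailable("401: credentials expired")

    inventory: List[Record] = []
    sync(inventory, healthy_pull, dedupe)
    sync(inventory, failing_pull, dedupe)
    sync(inventory, healthy_pull, dedupe)
    return inventory


def duplicate_ids(inventory: List[Record]) -> List[str]:
    """SIEM IDs that appear more than once in Inventory."""
    seen: Dict[str, int] = {}
    for record in inventory:
        seen[record.siem_id] = seen.get(record.siem_id, 0) + 1
    return sorted(i for i, n in seen.items() if n > 1)


if __name__ == "__main__":
    for dedupe in (False, True):
        inv = run_scenario(dedupe)
        print(f"dedupe={dedupe}: {len(inv)} records, duplicates={duplicate_ids(inv)}")
```

With dedupe=False the scenario ends with four records, two Deleted and two Active, for the same two SIEM rules; with dedupe=True the two Deleted records are found by ID and restored to Active, so Inventory stays at two records.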
UI Improvement
We've added a tooltip on the API page informing the user that allowed IPs and IP ranges should be in CIDR notation.
Custom Field Mapping Improvement
To extend the configuration capabilities and cover all possible cases, we've made the Default Source (Table/Index) field editable for all platforms and log sources.
Videos in Help Center
We've updated the video tutorials in our Help Center to help new users master the SOC Prime Platform and learn about the latest capabilities.
Cyber Threat Search Engine Improvements
Platforms Filter
We've added a Platforms filter that lets you search for only those Sigma rules that have translations into the selected platform format.
With this filter, you can get actionable search results and be sure that the content found is applicable for your security platform.
This filter is combined with other filters using the AND operator.
Key Bug Fixes & Improvements
With this release, we’ve made the following key bug fixes and improvements to enhance the user experience with the SOC Prime Platform:
Fixed a bug in the mobile version of Cyber Threat Search Engine where in some cases buttons in popups did not work.
Corrected a typo on the Detection as Code page at my.socprime.com.
Fixed an issue with the Content Name search field on the MITRE ATT&CK page. Previously, the page reloaded if you hit Enter while the cursor was in the field.
Fixed a bug where in some cases the amount of unexplored content could differ slightly between Log Source Coverage and Advanced Search.
Resolved several issues in Continuous Content Management:
Fixed an error that in some cases appeared during deployment of an Inventory Content List in CCM.
Resolved an issue that prevented applying the default Custom Field Mapping based on Log Source in a Job or resulted in applying a wrong mapping profile.
Fixed a bug that could prevent successful deployment of rules with alternative translations.
Fixed filtering by Environment and Job on the Content Lists page of CCM.
Resolved an issue that sometimes resulted in displaying the warning about reaching the content amount limit in a Dynamic Content List when this limit was not reached.
Added whitespace trimming after values entered in the Include Tags and Exclude Tags fields of Dynamic Content List settings.
Fixed a bug where an attempt to save changes in Custom Field Mapping settings after a period of inactivity resulted in a 400 error (Bad Request).
